Deciphering Legitimate Interests
Under the GDPR

A report based on more than 40 cases from practice


Nymity and the FPF (Future of Privacy Forum) collaborated to compile this essential report, Processing Personal Data on the Basis of Legitimate Interests Under the GDPR. Its purpose is to help organizations better understand how to use and apply legitimate interests as a lawful basis for processing, while also contributing to enhanced personal data protection for individuals.

The report identifies specific cases that have been decided at the national level by DPAs and courts from the European Economic Area (EEA), as well as the most relevant cases where the Court of Justice of the European Union interpreted and applied the “legitimate interests” ground. The cases represent multiple industries and are compiled into two lists: one for uses of this ground that were found lawful and one for uses that were found unlawful.

All of the cases discussed are found in the Nymity Research™ legal compliance software solution which contains over 25,000 References, including English translations of foreign documents.

The report discusses over 40 cases, representing a wide variety of data processing activities from over 15 countries, such as:

  • Using key-logger software for employee monitoring
  • Use of GPS tracking data for private investigations
  • Disclosing health data for litigation purposes
  • Disclosing personal data for debt collection purposes
  • Sending emails without consent for electoral purposes
  • Publishing the sale price of homes that are no longer on the market
  • Recording employee misconduct

The summary of cases contains useful examples of how the “balancing exercise” is conducted in practice, as well as safeguards that were needed to tilt the balance and make the processing lawful.